
SSH keys on a yubikey

There is something oddly satisfying about having my private ssh keys only on a hardware device where they cannot be directly accessed.

For the past 6 months I've been using a yubikey for SSH access to my servers and github. In this configuration the private key only exists on the yubikey and cannot be transferred to the host computer. All cryptographic operations that require the private key are performed on the yubikey. Here's how I set it up.

Configure the yubikey

I disabled all other modes since I only cared about using this as an OpenPGP smart card.

Create a key

gpg2 --card-edit
gpg/card> admin
gpg/card> generate

At this point a new keypair is on your yubikey. Your public key will be added to your gpg keychain. Note that you won't be able to retrieve your public (or private) key from the yubikey. You may want to back up or publish your public key to a key server - but I'll leave that as an exercise for the reader.

gpg/card> quit

To turn your newly minted GPG public key into an ssh formatted public key:

gpgkey2ssh <key id>

and you will get...

ssh-rsa AAAa1NUMBERSandLETTERS COMMENT

I suggest changing COMMENT to something more descriptive, like your name or email address, then saving that public key to your github or digitalocean account.
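Before uploading the gpgkey2ssh output it is worth confirming that the line is well-formed and noting its fingerprint. The following is an added example, not code from the original post: it parses an `ssh-rsa AAAA... COMMENT` line according to OpenSSH's wire format, checks that the key type embedded in the base64 blob agrees with the first field, reports the modulus size and the SHA256 fingerprint in the same format `ssh-keygen -lf` prints, and rewrites the comment field. `constructed_rsa_line` is a hypothetical helper that builds a toy key purely so the code can be run offline; in practice you would paste in the real gpgkey2ssh output.

```python
import base64
import hashlib
import struct

def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed SSH wire-format string starting at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end

def parse_openssh_pubkey(line: str) -> dict:
    """Parse one 'ssh-rsa AAAA... COMMENT' line and sanity-check its blob."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob embeds its own type string; it must agree with the first field.
    embedded, pos = _read_string(blob, 0)
    if embedded.decode() != key_type or key_type != "ssh-rsa":
        raise ValueError(f"bad or unsupported key type: {key_type!r}")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after RSA modulus")
    # Same fingerprint as `ssh-keygen -lf`: SHA-256 of the raw blob, base64
    # without padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    return {"type": key_type, "comment": comment,
            "exponent": int.from_bytes(e_bytes, "big"),
            "modulus_bits": int.from_bytes(n_bytes, "big").bit_length(),
            "fingerprint": "SHA256:" + digest.decode()}

def with_comment(line: str, new_comment: str) -> str:
    """Return the same key line with its comment field replaced."""
    key_type, b64 = line.strip().split(None, 2)[:2]
    return f"{key_type} {b64} {new_comment}"

def constructed_rsa_line(comment: str) -> str:
    """Constructed sample input, NOT a real key: a syntactically valid ssh-rsa
    line around a toy 2048-bit modulus. Use the gpgkey2ssh output in practice."""
    s = lambda b: struct.pack(">I", len(b)) + b            # SSH 'string' encoding
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big")  # mpint, positive
    blob = s(b"ssh-rsa") + s(e) + s(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Rewriting the comment changes neither the blob nor its fingerprint, so the value `ssh-keygen -lf` shows stays the same after you rename the key.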

Add the following to your .bash_profile so that your ssh agent (gpg-agent) will know to also use your yubikey.